How to create custom commands for git-shell?

According to the documentation:
When -c is given, the program executes non-interactively; can be one of git receive-pack, git upload-pack, git upload-archive, cvs server, or a command in COMMAND_DIR. The shell is started in interactive mode when no arguments are given; in this case, COMMAND_DIR must exist, and any of the executables in it can be invoked.
However, I'm not sure I'm understanding this correctly. I created a user called gituser, and gave him /usr/bin/git-shell as a shell. I created a directory called git-shell-commands, and put a script called 'testy' in it, but I can't make it run via git-shell.
Here is what I'm trying from another machine:
$ ssh [email protected] testy
fatal: unrecognized command 'testy'
Note that git-shell is working, and responding, it just can't find my custom command.
And here is the script:
:/home/gituser/git-shell-commands# ls -l -a
total 12
drwxr-xr-x 2 gituser gituser 4096 Jan 22 17:35 .
drwxr-xr-x 4 gituser gituser 4096 Jan 22 13:57 ..
-rwxr-xr-x 1 gituser gituser 26 Jan 22 13:58 testy
:/home/gituser/git-shell-commands# ./testy
hello!
:/home/sodigit/git-shell-commands# cat testy
echo "hello!"
What am I doing wrong? How to run custom commands with git-shell?
As it turned out, this feature has been introduced in git 1.7.4. I am using Debian squeeze, which contains an older version of git, so that was why it did not work.
If you experience this problem, check your git version.
However, as of git 1.7.10, the custom commands only work in interactive mode, and not with -c. I haven't tried the newest git though, so it is possible that this problem is unrelated to the version of the software.
To allow custom commands for pre-1.7.4 (and in non-interactive mode for 1.7.10), you can use a shell script wrapper for git-shell:
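#!/bin/bash
# The entire command line arrives as the first argument; split it into words.
set -f    # split on whitespace only, without glob expansion
cmdline=($1)
set +f
# basename drops any directory part, so only names in the command dir can match.
cmd=$(basename "${cmdline[0]}")
if [ -z "$cmd" ] ; then
    # No command given: fall through to git-shell's interactive mode.
    exec git-shell
elif [ -n "$cmd" -a -x ~/git-shell-commands/"$cmd" ] ; then
    # Custom command: run it with the remaining words as arguments.
    ~/git-shell-commands/"$cmd" "${cmdline[@]:1}"
else
    # Anything else is passed to git-shell unchanged.
    exec git-shell -c "$1"
fi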
Wherever you would normally use "git-shell", refer to this script instead, though leave out any "-c" argument to this script.
As with git-shell, the above script requires that the entire command line be passed as the first argument. If you'd rather pass the command line as separate arguments:
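#!/bin/bash
# The command line arrives as separate arguments; $1 is the command name.
# basename drops any directory part, so only names in the command dir can match.
cmd=$(basename "$1")
if [ -z "$cmd" ] ; then
    # No command given: fall through to git-shell's interactive mode.
    exec git-shell
elif [ -n "$cmd" -a -x ~/git-shell-commands/"$cmd" ] ; then
    # Custom command: drop its name and pass the remaining arguments.
    shift
    ~/git-shell-commands/"$cmd" "$@"
else
    # Anything else is rejoined and passed to git-shell.
    exec git-shell -c "$*"
fi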
For example, this lets you invoke the restricted shell in authorized_keys as:
command="sshsh $SSH_ORIGINAL_COMMAND" ...
Note that neither script creates an interactive mode for pre-1.7.4 (attempting to start an interactive session will result in a "fatal: What do you think I am? A shell?" error from git-shell), but shouldn't interfere with interactive mode in 1.7.4 and newer.
Disclaimer: this has not been vetted for security holes. Use at your own risk. In particular, each command in ~/git-shell-commands is a potential security hole (though this is true of git-shell 1.7.4 and later, even without any of the above scripts).
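A stricter form of the lookup the wrapper scripts above perform, as an added example that is not part of the original answer: it refuses path components and option-like names, requires a regular executable file, and splits arguments without glob expansion. The function names and the permitted name alphabet are assumptions; the git-shell-commands layout is the one from the page.

```sh
#!/bin/sh
# Added example, not the answer's code. Function names and the allowed name
# alphabet are assumptions; the git-shell-commands layout is the page's.

# custom_command_path DIR CMDLINE
# Prints DIR/<first word> and returns 0 only when the first word of CMDLINE
# is a plain name for a regular executable file in DIR; otherwise returns 1
# so the caller leaves the request to git-shell.
custom_command_path() {
    ccp_dir=$1
    # read splits off the first word without glob expansion or eval.
    read -r ccp_name ccp_rest <<EOF
$2
EOF
    case $ccp_name in
        '' | .* | -* | *[!A-Za-z0-9._-]*) return 1 ;;  # also rejects "/" and ".."
    esac
    [ -f "$ccp_dir/$ccp_name" ] && [ -x "$ccp_dir/$ccp_name" ] || return 1
    printf '%s\n' "$ccp_dir/$ccp_name"
}

# dispatch DIR CMDLINE
# Replaces the current process with the custom command, or with git-shell
# for everything else (git-shell then applies its own checks).
dispatch() {
    [ -n "$2" ] || exec git-shell
    if d_path=$(custom_command_path "$1" "$2"); then
        set -f          # split arguments on whitespace, never expand globs
        set -- $2
        set +f
        shift           # drop the command name, keep its arguments
        exec "$d_path" "$@"
    fi
    exec git-shell -c "$2"
}

# Install by ending the wrapper with:  dispatch "$HOME/git-shell-commands" "$1"
```

Directories, dotfiles and names containing a slash never match, so such requests fall through to git-shell and are rejected there.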